Are your security cameras out of date? Have your security cameras been recently banned by the US government?
During a recent TSCM survey of a residence, our client explained that they no longer controlled their home surveillance camera system, which had four exterior cameras and one interior camera. All cameras were known to the client, but they no longer had a way to monitor or review the footage due to being locked out of the account.
The interior camera lens was covered with duct tape to prevent observation and was in the residence’s main living room/ kitchen area where most conversations and activity occurred. The other four cameras were on the four corners of the exterior residence with overviews of the driveway and pool area.
All five cameras were observed to have audio capabilities, which was a feature completely unknown to the client and may have explained their recent security crisis.
All five cameras were hard wired to a digital video recorder (DVR) which then used the internet for remote access. Theoretically, if the cameras had audio enabled, conversations from the main living space of the residence, front driveway and the pool area could be recorded or monitored remotely by anyone with authorization. Covering the lens only eliminated part of a much bigger problem.
An additional concern was also observed. All the cameras and the DVR were observed to be manufactured by a Chinese company that had recently been banned by the Federal Communication Commission and National Defense Authority Act for being a national security threat. The homeowner had no idea.
The specific camera system in question, manufactured by Chinese supplier Hikvision, is banned for use at any US government facility or at any facility that does any business with the US Government. According to China’s National Intelligence Law 2017, companies such as Hikvision are required to support China’s national intelligence work.
The following camera systems and telecoms manufactured by Chinese suppliers Dahua, Hikvision, Huawei, Hytera Communications, and ZTE have been flagged as an unacceptable risk to national security. These IP camera brands were observed to be at risk of a major compromise via a remote code execution (RCE) vulnerability. The vulnerability is a command injection that is present in the Web server of these brands. Attackers can exploit the vulnerability to launch commands that allow them to gain complete root-shell access to an affected device; something that even the owners don’t have. This compromise could potentially be used to turn off the camera system for an undetected physical breach on a location. Or the cameras themselves could be exploited to eavesdrop on unsuspecting targets by using their own security system against them.
These camera systems have not been banned for general consumer use in the United States and can still be purchased on Amazon, likely at a discount and with no warning to the consumer that their cameras, most with audio, may be accessible to the Chinese government or sophisticated criminals. Home Depot, Best Buy and Lowes no longer sell the cameras even though the ban is not for consumer use.
Do you have a surveillance system at your home or office? Do you know if it is a system that has been recently banned? Do you work for or do business with the federal government? Are you inadvertently breaking any law with recently banned surveillance systems?
If you do business with the federal government or any allied government, you may want to check to see if your surveillance system complies with current regulations.